Perform operations on G Suite users, groups and roles via Workflow Automator


Orchestration apps let you automate repeatable tasks and actions that span across a diverse set of systems and applications using workflows. The list of actions supported for this app include:

User Management

  1. Get User

  2. Create User

  3. Update User

  4. Delete User

  5. Undelete User

  6. Make User Super Admin

  7. Reset Password

  8. Get Schema

Role Management

  1. Assign a Role To User

  2. Get Role Assignment

  3. Delete Role Assignment

    Group Management

  1. Get Group Details

  2. Create Group

  3. Update Group

  4. Delete Group

  5. Get Group Member

  6. Assign Member to Group

  7. Update group member

  8. Delete group member

  9. Check Group Member

  10. Assign Member to Multiple Groups


To install and authenticate the app you need to provide the following input:  

  1. Client Email 

  2. Private Key

  3. Private Key Id

  4. Email Id (The Gsuite account email address) 

Step 1: Create a Service Account

Set up a Service Account project in the Google API Console.

  1. Create a new project (or select an existing one)

  1. Click on Create service account.

  1. Under Service account details, type a name, ID, and description for the service account, then click Create.

  1. Under Service account permissions, select the IAM roles as 'Project Owner' to grant to the service account, then click Continue.

  1. Optional: Under Grant users access to this service account, add the users or groups that are allowed to use and manage the service account.


  1. After the service account is created, open the service account, click on "Edit" then click "Add Key" under "Keys", then click "Create New Key".

  1. Make sure the key type is set to JSON and click Create.

  1. Click Close > Save


  1. Then click on "Domain-Wide Delegation" and then tick "Enable G Suite Domain-wide Delegation".

  1. Save the downloaded JSON key.

Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of the private key. You are responsible for storing it securely. If you lose this key pair, you will need to generate a new one.

Note: The Client Email, Private Key and Private Key Id are obtained from Service account JSON file downloaded. 

Step 2: Enable Admin SDK API

  1. Open your project in the API Console. Click on ENABLE APIS AND SERVICES

  1. In the list of APIs, search and click Admin SDK API.

  1. Click on ENABLE to enable Admin SDK API

Step 3: Assign OAUTH Scopes for Admin SDK API

  1. Go to Admin console. From the Admin console,  go to Home > Security > API controls.

  1. Under Domain-wide delegation, click Manage Domain Wide Delegation.

  1. On the Manage domain-wide delegation page, click Add new.

  1. Enter the client ID of the service account or OAuth2 client ID of the app.

  2. Under the OAuth Scope, add each scope that the application can access.

  3. Click Authorize



Provide following OAuth scopes using the above steps

1. https://www.googleapis.com/auth/admin.directory.group

2. https://www.googleapis.com/auth/admin.directory.group.member

3. https://www.googleapis.com/auth/admin.directory.group.readonly

4. https://www.googleapis.com/auth/admin.directory.user

5. https://www.googleapis.com/auth/admin.directory.user.readonly

6. https://www.googleapis.com/auth/admin.directory.user.security

7. https://www.googleapis.com/auth/admin.directory.group.member.readonly

8. https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

9. https://www.googleapis.com/auth/admin.directory.rolemanagement